Friday, May 27, 2005

I've been working with Webroot Software's Spam Shredder product. Spam Shredder (SS) is a program that runs on your PC and is in effect a semi-transparent POP3 mail proxy that passes through just the non-spam messages.

After installation, you configure SS to point to your real POP3 server but without any authentication details. You then point your mail client to your own computer (127.0.0.1) but to a special port that's opened by Spam Shredder. Your mail client then connects to SS thinking it's the real POP3 server - SS just passes the authentication details direct from your client through to the real POP3 server.

As SS gets each mail from the real POP3 server, the message is analysed and, if NOT spam, it gets delivered. If SS thinks the message really is spam, it passes your mail client a dummy message which you can just throw away. The reason for this is simple: when your mail client asks the server how many messages exist, SS can't yet know how many of them are spam - so it's got to send one message to the mail client for every message on the server. In my case, I just drop the dummy message.
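An added illustration (my own code, not Webroot's) of why the proxy has to hand the client one message per message on the server: a toy in-memory POP3 proxy that answers STAT and RETR, with a constructed three-message mailbox and a deliberately naive stand-in for the real classifier.

```python
from typing import Callable, List

# Constructed sample mailbox (not real mail): three messages as the upstream
# POP3 server would hand them back for RETR.
UPSTREAM_MAILBOX = [
    "From: alice@example.org\r\nSubject: Lunch tomorrow?\r\n\r\nStill on for 12:30?\r\n",
    "From: promo@example.net\r\nSubject: BUY NOW cheap pills\r\n\r\nClick here!!!\r\n",
    "From: bob@example.org\r\nSubject: Quarterly figures\r\n\r\n.NET build figures attached.\r\n",
]


def naive_is_spam(message: str) -> bool:
    """Stand-in for the real classifier: flags two obvious phrases."""
    text = message.lower()
    return "buy now" in text or "cheap pills" in text


def dot_stuff(message: str) -> str:
    """POP3 multi-line replies prefix any line that starts with '.' by another '.'."""
    return "\r\n".join("." + ln if ln.startswith(".") else ln
                       for ln in message.split("\r\n"))


class FilteringPop3Proxy:
    """Answers STAT and RETR for the client on behalf of the upstream mailbox.

    The message count and numbering are exactly what the upstream server
    reports, because the client asks for the count before the proxy has seen
    a single message body. A message judged to be spam is quarantined and a
    short dummy message is returned in its slot instead.
    """

    DUMMY = ("Subject: [quarantined] suspected spam\r\n"
             "X-Spam-Quarantined: yes\r\n\r\n"
             "The original message was held in the proxy's quarantine.\r\n")

    def __init__(self, mailbox: List[str], is_spam: Callable[[str], bool]):
        self.mailbox = list(mailbox)
        self.is_spam = is_spam
        self.quarantine: List[str] = []

    def stat(self) -> str:
        # Count and octets are the upstream values: the proxy cannot shrink the
        # count, and the octet total will not match the dummies it later sends.
        return f"+OK {len(self.mailbox)} {sum(len(m) for m in self.mailbox)}"

    def retr(self, n: int) -> str:
        if not 1 <= n <= len(self.mailbox):
            return "-ERR no such message\r\n"
        message = self.mailbox[n - 1]
        if self.is_spam(message):
            self.quarantine.append(message)  # held for review, as SS does
            message = self.DUMMY
        return "+OK message follows\r\n" + dot_stuff(message) + ".\r\n"
```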

Interestingly, although SS installs to a local machine, and appears to be just local, it does work across the network. I pointed my mail client on my laptop to SS running on my workstation, specifying the special port created by SS. It is a little slow, and I find my mail client sometimes times out and drops the connection to SS.

SS itself quarantines suspect mails - you can view the quarantine and ask SS to deliver non-spam messages, or delete the rest. You also get a list of mail delivered, which you can tell SS is or is NOT spam, and the more spam it sees the more accurate it becomes. SS also has white/black lists - so some senders can get straight through, while blacklisted senders do not.

My results are pretty good. Thus far, there have been a couple of false positives: out of a total of 244 mails, 2 were false positives, and 151 were dropped as spam. The two false positives were ones that came from a mailing list and contained lots of HTML and other junk. Both false positives were put onto the white list so won't be dropped again.

I'll have to do a more thorough test over the coming days. Oh - and the cost is $29.95.

Like Robert McLaws, I've seen IIS7 a couple of times over the past few months, but could not disclose much about it. But now the lid's off, and some folks have started! See Robert McLaws' post on IIS7 (http://www.longhornblogs.com/robert/archive/2005/05/25/14114.aspx) for more. I agree that it is looking very cool.

Microsoft yesterday announced new tools to help reduce spam. First, there's the MSN Postmaster web site, http://postmaster.msn.com/ which was "developed to give bulk e-mailers/senders, ISPs, e-mail service providers (ESPs), postmasters, and domain administrators a location to learn more about issues and solutions related to sending communications to MSN Hotmail consumers."

The second feature is known as Smart Network Data Services (SNDS). SNDS generates reports on the mail traffic that is sent to MSN Hotmail and Hotmail customers. This can help an ISP, for example, to determine the volume of e-mail being sent from its IP space to MSN Hotmail, how that e-mail is affected by MSN Hotmail spam filtering, and what percentage of its e-mail has been marked as spam by MSN Hotmail and MSN customers. This can help the ISP to take appropriate action in cases of zombies, or spammers using its network to send bulk spam.

Thursday, May 26, 2005

PC Pro reports that Vodafone introduces a revolutionary 'simple' mobile phone. It's just a phone. It's not a PDA, not a mini-laptop, not a mini-tv. It's a phone. What a concept - a phone that's just a phone!

In USA Today, there is a report of a man trapped overnight in a lift due to non-payment of a phone bill. The man was working in a government building over the weekend, went to the lift, which broke down, and he became stuck. The emergency phone did not work because the phone bill had not been paid. And the emergency bell wasn't much good since there was no one in the building to hear it. He eventually got out when a cleaning crew arrived.

Not a great way to spend the evening. But it does drive home the importance of paying your bills on time. As it turns out, the phone company appears partly at fault as they sent the bill to the wrong place.

A beta for the latest version of the Google tool bar has been released as a web download (just over 500kb). PC Magazine has a review of the beta, which looks nice! When I used IE as my main browser I found the Google tool bar a great add-in, but as I now mainly use Firefox, this tool bar, which is IE only, is less useful. Still, it's nice that there are some nice new features. One I especially like is the spell checker for web forms. When I do blog entries for http://securitybiz.blog.co.uk, for example, their web based blog engine has no spell checker, so the spell checker would be useful.

This blog has had a fair number of mentions about Google lately. I guess that's because they are constantly pumping out cool stuff. Google certainly is doing some interesting things. It's no wonder MS is a little nervous about them.

Sunday, May 22, 2005

Google's featured a lot in this blog of late. It's not really intentional, maybe it's because they're doing interesting things. The Google story on Forbes Magazine's site is very interesting. It gives some insight into Microsoft's battle in the search engine space. It's quite a long article, but worth the read.

Friday, May 20, 2005

Google's experimental Portal Page is good enough for your home page. Released earlier this week, the /ig page provides you with a good browser home page. It appears like the world and her brother have blogged this - so if you haven't seen it yet, head over and check it out. Most of the features, however, appear to be US only (e.g. weather requires a US zip code, etc).

Thursday, May 19, 2005

Now this sounds incredibly cool - a handset that will switch seamlessly between GPRS and WLAN. BUSINESS WIRE reports that US company Calypso Wireless, Inc has done a deal with France Telecom, Ltd. to distribute real time two way video conferencing broadband WiFi-GSM/GPRS mobile telephones in the UK by the 4th quarter of this year.

Monday, May 16, 2005

One feature of IIS that has often been requested is some way of removing all traces of the server version. If you surf to www.psp.co.uk, the server rather gives away what version of IIS is running. Doing a GET on my site produces, inter alia, the following headers:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET

Knowing that this site is running IIS 5 tells the potential cracker a lot about the OS that's running (i.e. Windows 2000) and therefore which attacks may work, and which do not work, on that platform.

Port80's ServerMask product strips off the banners indicating what version of IIS you are running, which in turn adds another layer of protection to your defense in depth strategy.
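An added check (my own example code, not ServerMask or anything from Port80) that parses the head of a response like the one quoted above, reports the headers that disclose the product or platform, and rebuilds the response without them, which is the effect a masking proxy aims for. The sample response and the banner-to-platform mapping are constructed here.

```python
from typing import List

# Constructed sample response, built from the headers quoted above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Response headers that commonly carry product or version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# What a Server banner implies about the platform. IIS 5.0 shipped with
# Windows 2000 (the point made above); IIS 6.0 shipped with Windows Server 2003.
PLATFORM_HINTS = {
    "microsoft-iis/5.0": "Windows 2000",
    "microsoft-iis/6.0": "Windows Server 2003",
}


def split_response(raw: str):
    """Return (status line, list of (name, value) header pairs, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers, body


def banner_disclosures(raw: str) -> List[str]:
    """List the headers that give away the server software, plus the platform they imply."""
    findings = []
    for name, value in split_response(raw)[1]:
        if name.lower() in DISCLOSING_HEADERS:
            hint = PLATFORM_HINTS.get(value.lower())
            findings.append(f"{name}: {value}" + (f" (implies {hint})" if hint else ""))
    return findings


def strip_banners(raw: str) -> str:
    """Rebuild the response with the disclosing headers removed; body is untouched."""
    status, headers, body = split_response(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in DISCLOSING_HEADERS]
    return "\r\n".join([status, *kept]) + "\r\n\r\n" + body
```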

Several pieces of phish/spam hit my email box today - with perhaps the most truthful subject line I've seen in a long time: "We just offer to you take your MONEY!" Yup - were I to go to their phishing site, all they can offer me is to take my money! I wonder how many suckers they'll get on this one?

Both blogs are pretty developer-oriented, and require the reader to be able to read a bit of code! James has started looking at Indigo, while Dave is writing longer pieces on (at the moment) Windows Forms. Interesting reading!

I can't tell if this is just an April Fool's joke, or real - but the idea of 256GB non-volatile RAM chips is pretty neat. It's more than large enough to replace a hard disk - and just think of the potential battery life without the hard disk spinning.

But take a look at the two laptops the company has announced: an ultra-light Tablet PC that sounds a bit too good to be true: 100GB/256GB AtomChip NVRAM and Storage, 4.0GHz AtomChip CPU, 8.9" 16:9 wide view colour TOSHIBA LTPS TFT LCD with (32-bit) 1024 x 600 (XGA-W) high resolution display, with tablet capabilities. There's a slightly larger laptop with a similar spec although a small-ish screen (but with all the other goodies one could want). The site does not appear to display prices so no idea on that.

Saturday, May 14, 2005

As most IT Pros know, Wireless Encryption Protocol (WEP) as originally designed is not very secure. While better than nothing, it's not a great deal better and is easily cracked. In a great Cable Guy article, The Cable Guy (aka Joe Davies) explains WPA2 in the latest installment of his monthly TechNet column. A great introduction to WPA2. And there's an update to Windows XP SP2 to allow you to use WPA2.

[later]

I agree with the point Barry makes in the comments: you need up to date drivers for your network cards. Not all manufacturers are totally up to speed.

Thursday, May 12, 2005

The eLearning Network is holding a conference on On-Line Communities. Lorna Williamson, from Microsoft, is one of the speakers and I'll be on stage as part of her presentation, discussing the MVP programme. For more information on the conference, see the eLearning Network future conference page.

On May 9th, Mozilla issued a security advisory citing two critical flaws in Firefox 1.03 (the shipping version). An updated version 1.04 is now available from the Firefox download page. If you run Firefox, upgrade now!

Thanks to a post over on Benjaman Mitchel's blog, I took a look at WinDirStat. A pretty cool program that looks through the folders on a volume and displays the results in traditional directory listing format, but also as a set of prettily coloured rectangles sized according to the size of the actual folder. This is shown on Ben's blog (I'd include a picture here, but it's huge!).

The idea is that a group shares a private IM and blog space. The blogs can be the ideas one team member has for his/her area, or some sample code. I've not played with it, but I imagine that with a little customisation, blogs could even be spec or actual code repositories. There are ad hoc and permanent chat rooms - with logs that can be used to document agreement on some action or other, or just for other folks to look at (e.g. for compliance). Team members can be around the globe and need no client software aside from a browser that can do SSL. All traffic to ubergroups is based on 128-bit SSL, with a Thawte cert.

Having had a play, the firm seems based in the US, on the west coast. There seems no option to adjust the time zone. Speed is not too bad, but the features do appear a bit on the light side. Cost works out at $5/user per month (for 11+ users), and a bit less for fewer users. See their pricing page for details.

I hope this is a joke, but over at Silicon.com, Jo Best reports that Microsoft has given Longhorn a red face. I suppose that's one way to get rid of Blue Screens Of Death. See a picture here and read Mary Jo's take here.

MS has announced the MBSA 2.0 beta, and has also announced an MBSA webcast. Sadly, it's at 11:00 Redmond time, which means 19:00 here in the UK, but the webcast should be available for download later.

Tuesday, May 10, 2005

In two blog entries (here and here), I described the issues and one small solution, to the problem of removable device security. And Mitch Tulloch also wrote about the basic issue.

My original article was about the issues of locking down USB devices, which I thought at the time was the key issue. But actually, the issues over portable devices extend beyond just USB thumb drives - they include access to floppy disks, Wi-Fi devices, serial/parallel/USB/FireWire ports, etc - anything a user can plug in. The question is how do you restrict people who shouldn't use external devices from doing so, while allowing those who should to have only their appropriate access? It's one more security nightmare, especially as Mitch points out: if XP has a driver for the device, an unprivileged user can simply plug it in and away they go.

In a blog article for the UK Security Business Blog, I took a look at one solution: Ecora's DeviceLock. It has an Auditing Capability to audit user activity for a particular device type, a nice management tool, Group Policy integration and the ability to communicate through the firewall. The costs are $35/host (based on 1-49 hosts, off the US web site - UK firms would presumably need to add VAT). I assume deals can be done for larger numbers, or multinationals, etc.

Monday, May 09, 2005

As noted in a recent blog entry, I've been playing around with some Linux-based live CDs (CDs you can boot from without having to install Linux on your machine). Auditor is one live CD I downloaded and ran up on my Dell Inspiron 8600. I used a Toshiba PCMCIA (Orinoco Gold) card and within a few minutes, I had Kismet up and running and sniffing traffic, and could also use many of the other tools. Sadly, I can't seem to get Auditor to run on my old Dell Latitude.

Saturday, May 07, 2005

The Register has an interesting article entitled Live CD paradise which describes the growing number of Linux LiveCDs - bootable Linux images. The cool thing about some of the security focused LiveCDs is that they contain a huge array of security tools all in one simple package. And as the CDs are bootable, you can run them directly on your laptop (or desktop) without having to load any OS software. You can find a full list of Live CDs at The Live CD List, which shows hundreds of distros you can download and use pretty much immediately. Sixteen of the listed downloads are security related.

The Register's article discusses 5 separate security LiveCDs, including Knoppix and Auditor. According to the Register's article, Auditor comes complete with working wireless sniffing tools (e.g. Kismet) that work out of the box - just boot your CD and so long as your wireless card is supported you can start sniffing. As soon as I've downloaded this CD, I'll be testing it out!

I've been working with Google's AdSense programme over the past few days. As eagle-eyed readers might have noticed, I've changed the left hand column on the blog, and have added a Google Search Bar and a set of 4 simple text ads. The intention is not to make money - I'm not allowed to tell you how lucrative or otherwise Google AdSense is anyway. Rather, my intention is to experiment with the medium and see how well it works (or not). I'm also interested in how well the ads match up in a web log (since the latter changes, hopefully, on a fairly regular basis). I'd welcome comments by mail to tfl-google@psp.co.uk.

Thursday, May 05, 2005

Alina, one of my most valued colleagues, has started up her Flying Unix blog. As a Unix person who flies light aeroplanes, I understand her blog title but others might not!

In her latest article, Good for you, Amazon, Alina points out a book she bought for information on Solaris 10 that was less than satisfactory, and what Amazon did in response. Good for you Alina - in pointing out where the upgrade was covered more in the title page than anywhere else, and good for Amazon to deal with a poor book.

Wednesday, May 04, 2005

In many buildings I've visited in London, Manchester and Edinburgh, I've found one or more wireless networks belonging to firms other than the one I was visiting. I've also found any number of wide open private wireless networks scattered around the place. In my own firm's head office, just outside the Chairman's office, I regularly see a network belonging to another firm. These other networks my laptop can see are, in the main, "protected" by the use of WEP, but some are wide open (or have a WEP key the same as the SSID). And with a bit of web surfing, you might discover that certain firms have a standard SSID and WEP key for all their sites, which makes getting onto these networks trivial when you can stand outside and just leech the signal. In addition to the 802.11 networks, there are also Bluetooth devices and IR based devices in a number of public or semi public areas that are also potentially vulnerable.

So what's to be done? Several things really. First, as far as 802.11 goes, you should be investing in more advanced wireless security products as well as the use of smart cards, etc. WEP is easy to crack for the dedicated hacker who loads up a Linux laptop and uses readily available tools. And since most firms using standard WEP are not likely to change WEP keys that often, WEP really is not adequate for preventing much more than casual usage attempts. For a look at the tools available, or perhaps to scare yourself silly as to how easy this might be, Google is your friend.

The use of WPA etc. makes cracking 802.11 networks harder, but if you can avoid any RF signal entering or leaving your site, you reduce, if not eliminate, the risks from the passer-by attacker. A US firm, Force Field Wireless, has several products aimed at helping you to reduce RF emissions. Their DefendAir Radio Shield paint, or your own paint mixed with Paint Additive, reduces the RF transmission through any paintable surface. With a few coats, you get little or no useful RF emissions through walls, ceilings, etc. This might be an ideal product for use in a board room - although remember that the RF spectrum that is eliminated includes cell phones! And an office with no cell phones ringing is not all bad.

For the even more paranoid, a UK firm, Glasslock, has special glass to reduce the risk of eavesdropping via the glass.

These things are not a particularly cheap way of doing things. The paint additive is US$34.95, enough to mix with 1 gallon of your own paint, or buy ready mixed paint at US$69.95/US Gallon (128 fl oz). But there are places and uses for these things. And besides, even if you aren't paranoid, they're probably still out there looking to get to you, your network and your data.

Tuesday, May 03, 2005

The FontShop regularly features some free fonts you can download. From their Free Fonts page, you can download several free fonts. Today the fonts include: Arnhem Bold (a nice bold serifed font), FF Nexus Sans Bold (a good sans serifed font), Blackcurrant Cameo (a cute font but not for every day use) and FF Dingbests (a selection of dingbat fonts - pictograms that can be useful in a variety of communications).